The breach in question is documented here: https://youtube.com/watch?v=lUiLBBab1RY
I don’t think there’s a text write-up, but tl;dw a combination of missing input sanitization and no-code UI trickery made it possible to leak other users’ bot tokens, and despite patching the exploit pretty quickly on exposure, BotGhost’s developer tried to cover it up and refused to reset potentially affected tokens.
I really dislike the way they try and play this down in the doc:
So now botghost is doing a pentest. But I dunno... my guess at the likelihood of doing a good job backfilling security into a codebase that wasn't built with that as a core concern is also low.
I suppose they could have logged only if a bot token was detected in output. But if you'd think to do that, then why not also just block the output?
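An added illustration of the point above (example code written for this page, not BotGhost's or Discord's): an output guard that both logs and withholds a response when it contains something shaped like a bot token, alongside the weaker log-only setting for contrast. The token pattern is an assumption based on the commonly described three-segment, dot-separated base64url layout, deliberately loose so it flags "looks like a token" rather than validating one, and the sample response and token are constructed.

```python
import hashlib
import re

# Assumed shape of a bot token (not an authoritative spec): three dot-separated
# base64url segments. Kept loose so variants still trip the guard.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{25,}")

BLOCKED_MESSAGE = "[response withheld: credential-like content detected]"
REDACTED = "[REDACTED_TOKEN]"


def fingerprint(token: str) -> str:
    """Short non-reversible handle for the audit log, so operators can
    correlate incidents without the log becoming a second token leak."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def find_tokens(text: str) -> list[str]:
    """Return every substring of `text` that matches the assumed token shape."""
    return TOKEN_RE.findall(text)


def guard_output(text: str, mode: str = "block") -> tuple[str, list[dict]]:
    """Inspect bot-generated output before it is sent.

    Returns (text_to_send, incidents). `incidents` is what goes to the audit
    log: a fingerprint and length, never the token itself.
      mode="block"  withholds the whole message (safe default)
      mode="redact" masks only the matches
      mode="log"    records the incident but sends the text unchanged; this is
                    the "log only" option the comment above argues against,
                    included here only to show what it fails to prevent
    """
    hits = find_tokens(text)
    incidents = [
        {"fingerprint": fingerprint(t), "length": len(t), "mode": mode}
        for t in hits
    ]
    if not hits:
        return text, incidents
    if mode == "block":
        return BLOCKED_MESSAGE, incidents
    if mode == "redact":
        return TOKEN_RE.sub(REDACTED, text), incidents
    if mode == "log":
        return text, incidents
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample: a bot response that a crafted workflow coaxed into
# echoing its own credential. The token is fake (base64 of the digit string
# "123456789012345678" followed by filler) and exists only to match TOKEN_RE.
FAKE_TOKEN = "MTIzNDU2Nzg5MDEyMzQ1Njc4.Abcdef.ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567"
SAMPLE_OUTPUT = f"Here is your config: token={FAKE_TOKEN} prefix=!"

if __name__ == "__main__":
    for mode in ("block", "redact", "log"):
        sent, log = guard_output(SAMPLE_OUTPUT, mode=mode)
        print(f"{mode:>6}: {sent}")
        print(f"        audit={log}")
```

The design choice worth noting is that the log entry carries a fingerprint rather than the token: a guard that writes the credential it just caught into a log file has moved the leak, not closed it.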
But it is correct that the article does not reiterate the technical details of the exploit.
A while back there was a service called 'Spy Pet' that ran hundreds of discord bots selling access to searchable data logs. I wonder if discord is primarily concerned about the massive logging capability of services like these.
That cuts out a lot of the value for LLM training; and will reduce the blast radius if Discord ever decides to fully pull the plug on message access.
Tech will turn into a casino where the house (aka the platform) always wins.
I only ever did this on my own server for good reason, but still.
Really a bot doesn't have any more access than a user does. You as a user can manually scroll back through the entire server history, you can check on roles, and you can see the names of channels that are hidden from you.
But it becomes a problem when bots are doing this at scale and selling the resulting data. Sort of like some other bots that people like to argue are doing the same thing a human could.
> Unfortunately, the only method currently offered by Discord involves committing them to a public GitHub repo, which is not a viable or secure option.
For whatever it's worth, I actually think this dev is understating the impact of their security issues. They had 2 token leaks - albeit conditional and with prerequisites. Given the sorts of tokens that a user has to supply to use this sort of generic app builder, this is pretty serious.
That said, I think inconsistent enforcement, when it favors them, is a really bad look on Discord. It totally looks like they're doing cover-their-ass, whack-a-mole, public relations-driven enforcement.
None of that matters in the slightest. They're dealing with an indifferent, capricious, unaccountable company. And trying to do it without enough leverage to even get a response.
It seems like it's about to end the way it was always going to.
i was sorta curious on the policy changes over time, since botghost has been around since '18. all i can say is good luck to BotGhost
histories of policies-ish:
- from the tl;dr (they also explain #4 as well in the non-tl;dr):
> Discord issued a breach notice to BotGhost, claiming the platform violates Developer Policy 4 by handling bot tokens, which has been a core part of how BotGhost has worked since 2018.
- policy from discrap: https://support-dev.discord.com/hc/en-us/articles/8563934450...
> 4. Do not collect, solicit, or deceive users into providing passwords or other credentials. Under no circumstances may you or your Application request or attempt to obtain login credentials from Discord users. This includes information such as passwords or account access or login tokens.
- policy in 2022 (of that page, but note the random digits in the numbers make it terrible to easily see history), thanks archive.org!: https://web.archive.org/web/20221001073449/https://support-d...
> Do not collect, solicit, or deceive users into providing user login credentials. Under no circumstances may you or your Application solicit, obtain, or request login credentials from Discord users in any way. This includes information such as passwords or user access or login tokens.
- and archive.org of github of the before 2022 change (mentioned in the above archive) (does not really mention collecting of user auths - as per my quick glance [i welcome a double check]): https://web.archive.org/web/20220921062136/https://github.co...
edit: fix copy-pasta
The existence of terms like this makes any discussion of the other terms look pretty silly.
Their policy is simply that they do whatever they want, and that hasn't changed.
yup! and don't forget they can change their policy whenever they want too
also they rank D on this site: https://tosdr.org/en/service/536
Rules are there for a few reasons, but precisely enumerating the things you can and cannot do isn't one of them. (That's why programmers definitely shouldn't litigate pro se.)
One purpose is to try to indemnify the institution making the rules: "See, we said you're not allowed to do X. Damages resulting from X aren't our fault." Another purpose is to deter bad behaviour: if they say you're not allowed to do X, you're less likely to do X. A third purpose is to provide cover for their actions - most easily by writing a rule that literally everyone breaks and then selectively enforcing it, or by writing vague rules you can selectively interpret. If they can punish you and then point to a rule you allegedly broke, you're more likely to accept it and less likely to retaliate. Notice how all of these purposes have to do with manipulating other people. (Are you reminded of any countries?)
You should do it too, if you want to be successful in an amoral business environment. Don't hate the player, hate the game.
Unless your customers pay extra for well-defined rules to create a stable environment for themselves. In that case, you should do that, and take their money. That sort of thing is, for example, why some people would rather pay more for a technically inferior Fairphone or Librem than a flagship Android phone or iPhone.
> BotGhost cannot export bot configurations due to its no-code structure. If shutdown happens, all bots and user data will be permanently lost.
I don't think I understand this part - what does the "no-code" mean in this context? How can this data not be stored somewhere for the service to function at all? Does this mean that BotGhost also has no backups, and a technical glitch could cause a similar problem?
Never build your main business on somebody else's platform.
Always assume that you will get shut down / rugged when you do so.
You're being facetious, but OP is right. For software platforms, this has been a constant. It happened with Twitter, Facebook, Google (Search/Ads, Maps, Chat), Reddit, LinkedIn - basically every major software platform started off with relatively open APIs that were then closed off as it gained critical mass and focused on monetization.
If your move is to simply retreat, and give up all this ground, what market is left for you? People who get their news and ads by paper mail, shop only at tiny independent stores, paying in cash? How many businesses can survive with ~5% (a generous estimate of the described market's relative size) of their current traffic?
Pretty much every business is built on shaky foundations. If you never built business on shaky foundations, you'd never do anything at all. You needed an IBM-compatible PC to use Windows! You need a web browser to use Hacker News. Y Combinator is only meaningful as long as dollars are worth something.
If you make a business that runs on IBM PCs, make a few billion dollars, then 10 years later IBM rugpulls the PC line and sues everyone who copied it... was there really a "lesson" that needed "learning" or did you simply succeed at business and make a few billion dollars?
Yep. It’s a lesson that keeps being re-learned the hard way.
It’s bad advice.
I'm not sure which platforms those companies built their businesses on... are you equating building an app on iOS or Android with building an app that relies on, say, Facebook APIs and only works on Facebook?
When Uber came out and for years afterward, there were no location APIs in mobile browsers.
When Instagram came out, there was no way to access the camera or photos in web apps.
Are there any (profitable) phone apps that are not built on top of the app/play store?
Android also supports third party stores/standalone installers and iOS is fighting an ongoing legal battle due to its lack of a permanent equivalent.
You have to build on something, and there's going to be a corporation somewhere in your stack.
Discord, Twitter, Reddit, etc. that have become hostile to third parties have free APIs to reel in developers to make their platform more attractive to users, and once they’ve reached critical mass, they turn around and fuck over those developers. This is because their primary business model is serving their users, and developers eventually “get in the way”.
So the person you’re replying to should add an addendum: never build your app/business on top of third parties IF their primary business models aren’t providing services to developers.
Chat bots on your own hosted platform which has no users isn't something people will want to buy. I mean, some people will want to buy it for click to chat on their websites or something. But if there's a market for chat bots in general spaces, you have to address that market where people are chatting, which is Discord, apparently.
Create new account: all servers stuck in preview mode permanently
Create new account: instantly auto-banned
Create new account: phone-walled immediately
Create new account: banned immediately after providing phone number
Ban appeal: "our automated system is working properly, appeal denied"
Doesn't matter what computer/ISP/OS/browser/etc. I use, the experience is always one of these.
However, they do claim that Mee6 (the biggest Discord bot by # of servers, iirc) offers a similar feature but Discord is letting them slide?
Not saying it's the right thing to do, but it seems to be their reasoning.
Can you imagine the value to LLM companies?
It’s probably the single largest collection of sexting content outside of WeChat (and Apple’s archive of iCloud Backups that contain all of the iMessages).
What they do is the same as a "cease and desist": they warn you that Discord might consider suing you or might try to ban you by technical means.
It's all about business, not what the terms say. If Discord thinks BotGhost is good for Discord's bottom line, they'll let it exist. If they think it's bad, they'll stop letting it exist. I haven't the slightest clue why Discord now thinks BotGhost is bad for Discord's bottom line, but it's probably got something to do with legibility (in the Seeing Like A State sense) to investors for their IPO. Or they're working on a competitor internally.
I get the non-techie blindspot that all of us have in some form or another. With that in mind: it took three days to give my brother a crash course in Linux + Docker for his own home server (and even then he only knew the very basics). He’s fairly proficient in tech: builds his own desktops, knows the basics of code, doesn’t shy away from digging into the why, etc.
It would be unrealistic (and frankly irresponsible) to expect someone to set up _and understand_ a Docker server setup from a 10-minute video.
I don't remember having trouble installing docker on debian.
Basically, you are likely in competition with something they are making, or are otherwise bad for business. The specific policy violation they choose doesn't matter – you are getting dicked down because they want it to be so.
discord ain't a monopoly in any relevant sense of the word
I think Discord has a fair argument that if BotGhost "writes the code" (read: translates workflows to actual execution), and BotGhost operates the bot, then really it's BotGhost's bot and they should own the bot and have it be visible to users as their bot.
I use an adblock, so I don't see any ads on Reddit.
> I can't think of any way to look at this where Reddit is the lesser evil.
Reddit is the lesser evil for my personal use case because more and more Discord servers require a verified phone number to send messages. I can't get help if I can't send a message.
Even if it was, "Requires a verified phone number" is not "Evil". You might not like it, it might be incomprehensible, it might be exclusionary, but it's not "Evil".
Discord on the other hand does everything IRC does but people have made it take the place of forums, blogs, file repos, etc etc. All this information is locked up in a platform that can't be searched or often even accessed without signing up for the platform. Unlike IRC however Discord is not a protocol that others can tie into - it's a platform and they can/do actively lock people out of it.
Bouncers and log bots have been a thing even 20 years ago when I was active on Freenode. In fact, a bouncer and log bot was what made me get my very first own VPS... time flies. It lasted a year until my first attempt at a libc upgrade failed, that was a lot of work to fix.
Being able to get a text file log dump easily is also light years ahead of what most people are able to do on discord.
In order to get log bots or bouncers up and running it required some technical know how (meaning most people didn't do it, thus staying ephemeral as default) but those that did do it were well aware how to get and export those log files for archiving etc (thus why we have things like bash.org).
On Discord it's default and while yes someone could set up bots or something to export some of the content - that requires some technical know-how (meaning most people won't do it). Thus everything in there goes away when the service closes... even though the DEFAULT EXPECTATION is that information there is forever.
> Over 3 million users and bots created
which struck me as thoroughly disingenuous. Surely they know how many users they have, and how many bots have been created. Why conflate the two?
But it's hard to ignore actual people on the street in front of your office calling out your bullshit. In addition, it gives nice pictures for the press, and that's the only thing investors actually fear.
What's even stranger to me is that Discord was putting on a full-court press to get developers onto their platform over the last twelve months. This kind of response is certainly not going to help make devs feel all warm and fuzzy about continuing to build on Discord.
Mastodon metastasized the user store but each site is still a tiny centralized user store. That’s how user stores work. Doesn’t mean they’re automatically monopolistic.
Discord’s taking the Reddit-Apollo approach to forcing them offline — half-assed conversations for months followed by an abrupt fuck-you moment with little recourse — which given Discord’s free of charge growth mechanism, means that — just like Reddit — they’re likely going to shutdown anything by that’s providing a valuable service to a significant fraction of their users, either to Sherlock and charge money for it, or simply to terminate what they view as an obstruction.
You can see the list of covered companies at https://en.wikipedia.org/wiki/Digital_Markets_Act#Identified...
It's basically Apple, Amazon, Google, Meta, Bytedance and Microsoft.